Anonymous? We Know Who You Are
Anonymity systems may not be so anonymous, after all. Plus: Google and Symantec screw up; hacker gets jail time; village wants to digitally disappear.
Steven J. Murdoch has published an extremely interesting paper
as part of a dissertation for his work at the University of Cambridge. He has examined the use of covert channels and how they can be detected. In particular, Murdoch has looked at anonymity systems, or systems intended to hide your identity, and suggests ways in which it may be possible to glean valuable information simply from observation.
The bottom line: While an anonymity system may hide your actions from trivial or even traditional examination, it may not provide the level of anonymity you believe it does if scrutinized seriously. Further, while many such systems use covert channels -- or channels other than those expected -- to communicate, those methods may not always work. If the protocol the covert channel alleges to be safe is fully examined, covert transmissions may stand out as non-standard. Murdoch's paper is well worth the read.
Google Does Unintended Evil to Gmail Accounts
An unknown number of Google Gmail subscribers were surprised to find their accounts disabled and mail to them was being bounced, according to this report from NetworkWorld. Google admitted that there had been a problem in its method of rooting out spammers and that it had mistakenly disabled accounts of innocent individuals. The company said that the problem had been corrected and users should not have lost any existing mail.
If the accounts were disabled, then it is unlikely any messages sent during that time would be resent. However, you have to remember: You get what you paid for! As a free service, you’re accepting whatever is given you for free. Buyer beware.
Oops! Symantec Files Cybersitter Under Malware
In the third such event in 2007, Norton Internet Security has identified as malware a program that prohibits Internet access in order to protect children. The program this time was Solid Oak’s CyberSitter. In doing so, the NIS action disabled Internet access on the affected systems. (See PCmag.com's report here.)
Solid Oak was very upset, as Symantec had told the company that Symantec would field customer inquiries via a support number. That number appeared not to be functioning and nstead, customers were sent to an online support forum. The fix was to temporarily disable NIS, get an update from Symantec, and start NIS again.
The problem appears to stem from attempts by Symantec to identify “parental control” software programs. In this case, as the program was being reclassified as a “parental control,” it was first tagged as malware, which either deleted or quarantined it.
Aggie Gets Five for Hacking
Luis Castillo, a 23 year-old graduate of Texas A&M, hacked into the school’s computers and obtained the user IDs and password for more than 133,000 students, according to this Associated Press report. Castillo admitted to breaking into the systems and has been sentenced to five months of prison and five months home detention. He was also ordered to reimburse the University for more than $65,000 in expenses investigating the crime.
Considering he faced 5 years of prison, this sentence seems light.
column was originally published in our weekly Redmond Security
Watch newsletter. To subscribe, click here.
Road to Nowhere
Here's an interesting security problem of another sort: Barrow Gurney, a small town in the south west of England, has asked Tele Atlas to take the town and its roads off the maps that supply data to GPS navigation systems (read the story here). The town says its roads are inadequate for large truck traffic, yet drivers have no idea until they are passing through the town.
More than 15,000 vehicles per day pass through Barrow Gurney despite the fact its roads aren’t even paved. Anyone who’s ever asked his GPS nav to show the shortest route has likely ended up on a road they wished they’d never seen. Unfortunately, despite a fair amount of metadata on some of the more sophisticated systems, the data can often be incomplete or downright inaccurate.
It's extremely unlikely, if not impossible, to take a town and/or its roads off the GPS system but there is a way of usually avoiding such roads. Most systems provide the fastest route by virtue of the speed limits on the roads. By asking for the fastest route, you’re far more likely to stay on more substantial roads.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.